Bermuda’s IT law transformation
One of the most important measures of a jurisdiction’s competitive advantage is its ability to promote and regulate the efficiency, reliability and security of its critical infrastructure and essential services.
In the race among jurisdictions to formulate and implement legal and regulatory frameworks that attract foreign investment, the determinative criterion of information and communications technology safety and quality is second to none.
Bermuda is halfway into 2024, and this year has already been transformative for advanced IT and cybersecurity law and regulation in Bermuda.
Although these developments continue a trend of IT and cyber-law reform in Bermuda over the past few years, the pace of that beneficial law reform this year has been exceptional.
On January 22, the Bermuda Monetary Authority’s 2024 Business Plan confirmed its continuing focus on cyber-risk supervision, its interest in considering how AI will impact financial services, and its commitment to its IT Strategy: Vision 2025.
As well, the BMA has made clear the real connection that exists between IT and cyber operational risk, outsourcing transactions, business continuity planning and data protection across the critical infrastructure that the BMA regulates.
Recently, the Computer Misuse Act 2024 was introduced by the Bermuda Government to provide enhanced legal weapons to fight cybercrime.
Heavily based on British law for those matters, the new Act replaces Bermuda’s previous 1996 statute of the same name and is intended to reflect international best practices to address computing innovations and to greatly enhance penalties.
However, our newest Computer Misuse Act 2024 may not be the final word on computer misuse criminal law reform given the many law reform recommendations that are advanced in Britain’s Criminal Law Reform Network’s 2020 report titled Reforming The Computer Misuse Act 1990. Therefore, more on that front of IT law reform is expected.
On May 31, Bermuda’s new Cybersecurity Act 2024 was passed by the House to address the need for regulatory oversight across numerous essential services and critical infrastructure in Bermuda that the Government will more specifically identify in the weeks ahead.
A previous draft of that legislation had expressly designated industries such as healthcare, telecommunications and power generation and distribution as essential services that would be targeted by the Act, and the draft regulations to the Act will provide more clarity on those intentions.
In passing the Cybersecurity Act, the Government has decided to create a new regulatory regime under ministerial oversight rather than simply directing existing regulators, such as the Bermuda Health Council and the Regulatory Authority, to implement their own models of proportional-risk-based IT and cybersecurity regulation, which would likely follow the BMA’s very successful formulation, implementation and management of such regulations in recent years.
The end result, however, is expected to be very similar across all essential services and their regulators, even if different proportional-risk-based security standards, practices and governance requirements are stipulated under the Act. The Act’s implementation process, including the introduction of all such regulatory standards in the weeks to come, is expected to include diligent industry consultation and the responsive consideration by Government towards improving the Act’s relevance and effectiveness.
Finally, as many have been following, Bermuda’s Personal Information Protection Act 2016 will come into full force at the end of this year.
Indeed, Pipa also includes laws that require IT and cybersecurity safeguards and addresses third-party services such as outsourcing, the transfer of personal information overseas, and related data protection duties and responsibilities.
Therefore, companies that are subject to IT regulation as critical infrastructure, whether as a financial service under the BMA’s regime or as an essential service under the Cybersecurity Act, will also be required to comply with Pipa.
There is no question that the legal landscape of IT and cybersecurity in Bermuda is undergoing a big change in all of its facets, from the fundamental standards of diligent corporate governance, to all of the commercial IT service and outsourcing agreements that every critical infrastructure participant enters into with their affiliates and commercial service providers.
• Duncan Card is a partner in Appleby’s Bermuda office, specialising in privacy law, intercompany and commercial outsourcing transactions, and technology contracts. Duncan has provided specialised privacy advice for a combined 20 years in Bermuda and in Canada, where Bermuda’s privacy law primarily originated. He advises Bermudian-based and international clients on Bermuda’s privacy law, including both private and public sector organisations. He is a frequent author, provider of organisation Pipa seminars, and a guest conference speaker on privacy law and compliance topics.